
Grum, one of the largest spamming botnets, suspected of being responsible for over 17% of worldwide spam (as described here) and “killed” in July 2012, still lives. We have been tracking its activity since January 2013 and can confirm the doubts about the Grum takedown that SpiderLabs published in March 2013. The following article provides some details about the Grum activity we have registered.

We have seen Grum activity on the following sites:

servercafe.ru

hub.werbeayre.com

sec.newcontrrnd.com

sec.convertgame.com

Every bot client generates its own identification number (ID) on its first run. The ID is 32 characters long: the first three characters correspond to the bot version and the remaining 29 are randomly generated. The ID is also stored in the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.

After the bot sets its ID, it tries to connect to a C&C server.

1) The bot contacts the C&C server with an HTTP GET request to obtain the FQDN of the client’s computer:

http://%server/spm/s_get_host.php?ver=%botVer
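The following Python script is an added example, not code from the original article: it flags the check-in request described above in proxy log lines and checks whether an exported BITS\ID registry value has the 32-character shape described earlier. The log lines are constructed, the log format (`<epoch> <client> <method> <url>`) is assumed, and the ID character set is not documented, so the ID check only enforces length and the absence of whitespace.

```python
import re
from urllib.parse import urlsplit, parse_qs

# From the article: the bot ID is 32 characters, the first three give the bot
# version and the remaining 29 are random. Its character set is not documented,
# so the check below only enforces length and absence of whitespace (assumption).
GRUM_ID_LEN = 32
GRUM_VER_LEN = 3

# From the article: check-in is GET http://%server/spm/s_get_host.php?ver=%botVer
CHECKIN_PATH = "/spm/s_get_host.php"
# C&C hostnames the article reports seeing Grum activity on.
KNOWN_CNC = {"servercafe.ru", "hub.werbeayre.com",
             "sec.newcontrrnd.com", "sec.convertgame.com"}

def parse_bot_id(value):
    """Split a BITS\\ID registry value into (version, random part), or return
    None if it does not have the 32-character shape described in the article."""
    if not isinstance(value, str) or len(value) != GRUM_ID_LEN:
        return None
    if re.search(r"\s", value):
        return None
    return value[:GRUM_VER_LEN], value[GRUM_VER_LEN:]

def find_checkins(log_text):
    """Scan proxy log lines ('<epoch> <client> <method> <url>', assumed format)
    and return one record per line hitting the check-in path or a known C&C host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, method, url = parts
        u = urlsplit(url)
        reasons = []
        if method == "GET" and u.path == CHECKIN_PATH:
            reasons.append("checkin-path")
        if u.hostname in KNOWN_CNC:
            reasons.append("known-cnc-host")
        if not reasons:
            continue
        ver = parse_qs(u.query).get("ver", [None])[0]  # bot version from ?ver=
        hits.append({"time": int(ts), "client": client, "server": u.hostname,
                     "ver": ver, "reasons": reasons})
    return hits

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
1360000001 10.0.0.7 GET http://servercafe.ru/spm/s_get_host.php?ver=123
1360000002 10.0.0.8 GET http://www.example.com/index.html
1360000003 10.0.0.9 GET http://cnc.example.invalid/spm/s_get_host.php?ver=124
1360000004 10.0.0.7 POST http://hub.werbeayre.com/spm/other.php
"""

if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_LOG):
        print(hit)
    print(parse_bot_id("123" + "x" * 29))
```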

2) This information is then used to contact one of the SMTP servers obtained from the DNS MX records of the following domains, which are used for sending spam: